Computer Forensics for everyone

Monday, March 4, 2013

The Options

As with nearly all programs in Linux, ftkimager has built-in usage text that lists the available options and the proper syntax. Unfortunately there is no man or info page for it, so the usage text is all you get. You can bring it up either by giving ftkimager an invalid option or by typing ftkimager --help and hitting enter. (sudo is not needed for the usage text; it is needed later, when the tool has to read a raw device.)

It is also important to note that every option is written with two leading dashes (--), not the single dash or forward slash you may be used to from other tools; with a single dash the option is not recognized.

A list of options with a short explanation of each will appear. I will go into a little more detail on some of the options, while others are self-explanatory. I will explain the options first and then go into detail about how to put the syntax together. If you just want to see how to run the tool, jump to the Usage section near the end.

--help : This will show the help file. (duh)

--list-drives : Lists the physical drives the tool can see, such as /dev/sda or /dev/sdb, so you can tell the source and the destination apart before you type anything. Give the source as the raw block device (/dev/sda), not as a mount point under /media; the destination, on the other hand, is a normal path on a filesystem you have mounted for the purpose (/media/[media name]/cases, for example). How the drive is connected matters less than being certain which drive is which, because getting them mixed up means writing to the evidence drive.

--verify : After the image is written, reads it back, hashes it, and compares the result with the hash computed from the source during acquisition. It reports both values (MD5, and SHA1 unless --no-sha1 is given) so you can record them and be sure the image matches the source. Expect it to take roughly as long as the imaging itself, so be prepared to wait a while on a large drive. I would suggest using it on any drive whose integrity you need to stand behind, and I use it even for small test images just so that it stays a habit.
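As an added example (my own script, not part of the original post or of FTK Imager), here is a way to check an image independently of ftkimager's own --verify, which is the kind of cross-check that matters when you are validating a tool. A raw (dd-style) image is a byte-for-byte copy, so the SHA-1 of the source must equal the SHA-1 of the image fragments concatenated in order. The script assumes the fragments are named base.001, base.002, ... (that naming is an assumption of this example) and that sha1sum or shasum is installed; run it as root when the source is a device such as /dev/sda.

```shell
#!/bin/sh
# Added example, not from the original post: independent verification of a
# raw image. Assumptions: fragments are named base.001, base.002, ... and
# either sha1sum or shasum exists on the machine.

# Hash standard input with whichever SHA-1 tool is present, printing only
# the hex digest.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum | awk '{ print $1 }'
    else
        shasum -a 1 | awk '{ print $1 }'
    fi
}

# $1 = source device or file, $2 = image base path (without the .001)
# Prints both hashes; returns 0 only when they match, 2 when no fragments
# were found, 1 when the hashes differ.
verify_raw_image() {
    src=$1
    base=$2
    src_hash=$(sha1_of < "$src")
    # The glob expands in lexical order, so .001 .002 ... .010 are already
    # in the order they were written.
    set -- "$base".[0-9][0-9][0-9]
    [ -e "$1" ] || { echo "no fragments found for $base" >&2; return 2; }
    img_hash=$(cat "$@" | sha1_of)
    echo "source: $src_hash"
    echo "image:  $img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Usage (as root, since /dev/sda is not readable otherwise):
#   verify_raw_image /dev/sda /media/evidence/cases/suspect_hdd
```

For an E01 or S01 image the bytes on disk are compressed, so this direct comparison only applies to raw output; for the container formats you rely on --verify (or another tool that can open the container) and record both hashes in your notes.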

--print-info : Prints the characteristics of the drive given as the source: its geometry as well as physical details such as the connection type and drive model. This is useful when you are not 100% sure which drive is which and need more information about the device, and it gives you the details you need when documenting the drive for your paperwork. As a side note, this option does nothing other than print that information and exit. If you add it to an otherwise complete imaging command the whole thing becomes "theoretical": no image is created and none of the other options take effect.

--quiet : Suppresses the progress output during the imaging process. The one place it is useful is a scripted or unattended acquisition where the tool's output goes to a log file rather than a terminal; when you are sitting at the console watching the image, there is no reason to use it.

--no-sha1 : Another option you rarely need in your syntax. It tells the program not to compute the SHA1 hash value during the acquisition phase or the verify phase, leaving only the MD5. The time saved is small and a second hash is cheap insurance, so I leave it off.

(The following options only apply when you specify a dest_file, that is, when an image is actually written to the destination drive.)

--s01 : Writes the image in SMART .s01 format so that you can use it in programs that work with .s01 files. The DFRWS survey of disk image formats (http://www.dfrws.org/CDESF/survey-dfrws-cdesf-diskimg-01.pdf) lists the forensic image types in use, and .s01 is described on its last two pages. It is a format supported in FTK as well as in SMART Linux (http://www.asrdata.com/forensic-software/smart-linux/), which I have not yet had the pleasure of working with.

--e01 : If you have any experience with forensics, and with EnCase in particular, you already know what this one does: it writes the image in EnCase .e01 (Expert Witness) format so that EnCase and most other forensic tools can open it. The next group of options deals with the metadata stored inside the .e01/.s01 files created with these two options.

--case-number "x" : Sets the case number recorded in the image header. If the value contains a space you must put it in quotation marks or you will end up with an error (the shell would otherwise split it into separate arguments). This rule applies to all of the following options as well.

--evidence-number "x" : Sets the evidence number stored in the .e01/.s01 header, so that the program you load the image into can fill that field in automatically.

--description "x" : A short description of the image you are creating, such as "Suspect_Whoever_Laptop". It does not have to be elaborate or specific; it really depends on what your investigation needs or how your company does it.

--examiner "x" : The examiner's name. That's you. Seriously, put your name there, or nobody will know who did the amazing job of imaging the drive (as long as you follow this blog it should be no problem).

--notes "x" : Case notes, if needed. Useful if there is something special about the image or information that anyone working on the image will need to know.

That
ends the section about e01/s01 files specifically.

--frag x{K|M|G|T} : Splits the image into segments of a predetermined size for easier storage, for example --frag 2G for 2 GiB pieces. The size of each segment is "x" in whatever unit you selected. K, M, G and T are powers of two; you can also write Kb, Mb, Gb or Tb to get powers of ten instead.

--compress x : Sets the compression level for E01/S01 images, from 0 to 9. 0 means no compression (a raw dd image cannot be compressed at all, so this option only matters together with --e01 or --s01), 1 is the fastest method, 2 is a little slower but compresses better, and so on up to 9, which gives the best compression ratio but is also the slowest. Higher levels cost CPU time on the imaging machine, so on a slow box a middle value is usually the better trade.

The next section is about encrypting the image.

*Note: This section is optional. If you are working entirely with AccessData tools such as the Forensic Toolkit (FTK) for the main investigation it may be worth using these options. That said, if you are planning on using EnCase, Autopsy, or any number of other forensic tools, I would suggest not using the encryption methods mentioned here, because those tools cannot open an AccessData-encrypted image; use something like TrueCrypt or other means to protect the image instead. I also do not have a lot of experience using the encryption functions of FTK Imager Lite, so I would strongly urge you to think carefully before using the following functions. I will continue to research this section and will have an update at a later date. (For now you can read Zoltan Szabo's blog post about FTK Imager encryption, which is really good: http://zoltandfw.blogspot.com/2012/10/ftk-imager-cli-with-certificate.html)

--outpass "x" : Encrypts the image with the password "x". Use it if the image needs to be kept private from other people or will sit on a drive that multiple people use. It is a good habit if you deal with a lot of sensitive information, with two caveats: only AccessData tools can open the encrypted image, and if the password is lost the image is lost with it, so record it somewhere safe and separate from the image.

--inpass "x" : Decrypts a source image that was encrypted with the password "x". This is the opposite of --outpass and is used when the source of your command is an image that --outpass encrypted, for example when converting or verifying it.

--outcert C "x" : Encrypts the image using the certificate "C" together with the password "x". Certificate-based encryption is AccessData's own scheme, so an image encrypted this way can only be opened by AccessData products that hold the matching private key. I would be hesitant about using this.

Usage

Wooo, now we get to the part where I stop droning on about options and get to the good stuff: how to actually use this tool. Overall it is not a hard tool to understand once you know what the options do, which is why I included that section first. The syntax for making an image is as follows:

sudo ftkimager source [dest_file] [options]

Beautiful, isn't it? Simple and elegant in design and function, and now you should be able to understand exactly what is needed. Let us try a few practice commands. (In the examples, /mnt/sdb1 stands for wherever you mounted the destination partition; sudo is needed because reading /dev/sda directly requires root.)

sudo ftkimager /dev/sda /mnt/sdb1/cases/Randy\ 5 --e01 --frag 2G

This command reads /dev/sda (the source) and writes an E01 image into /mnt/sdb1/cases/ (the dest_file) with the base name "Randy 5"; ftkimager appends the extension itself, and because of --frag 2G the image is split into 2 GiB segments (Randy 5.E01, Randy 5.E02, and so on). Note the backslash before the space in the path: without it, or quotation marks around the whole path, the shell would pass "Randy" and "5" as two separate arguments. Pretty easy, right? Let's try another.

sudo ftkimager /dev/sda /media/travel\ drive/example/john --s01 --quiet

Well, how about that, do you know what all that did? I will tell you if you don't. It created an S01 image of /dev/sda (usually the first internal disk) and placed it in the example folder on the attached media "travel drive", with the base name john. Oh, and because of --quiet there would be no progress information during the imaging phase to tell us how much longer it has to go.

One more should do the trick and then we will have a whole bunch of investigators who are proficient at using this simple tool. Take either of the commands above and add --print-info to it, along with --verify, --compress and --outpass for good measure.

What would that accomplish? If you said absolutely nothing, you would be correct! By including the print-info option we have eliminated any actual work: the tool prints the drive information and exits, so none of the hashing, compression or password protection ever happens.
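To put the options together in a repeatable way, here is an added example (my own script, not something shipped with FTK Imager or written by the original author) of a small wrapper around the ftkimager CLI. Before it images anything it refuses a source that is not a block device, a destination that is not a writable directory, a source that is mounted read-write (its contents would still be changing underneath you), and a destination that lives on the source disk; it then records the exact argument list next to the image and runs the tool with E01 output, 2 GiB fragments, verification and the header fields filled in. It assumes ftkimager is on the PATH (or that the FTKIMAGER variable points at the binary) and, for testing, lets you pass a mounts table other than /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks plus a
# logged ftkimager invocation. Assumptions: ftkimager is on PATH or named
# in $FTKIMAGER; the source is a block device such as /dev/sdb; the
# destination is a directory on a different, already-mounted drive.

FTKIMAGER=${FTKIMAGER:-ftkimager}

# Is the device, or any partition on it, mounted with the "rw" option?
# $1 = device (e.g. /dev/sda), $2 = mounts table (default /proc/mounts)
# Returns 0 (true) when something on it is mounted read-write.
source_is_rw_mounted() {
    dev=$1
    mounts=${2:-/proc/mounts}
    # Field 1 is the mounted device, field 4 the comma-separated options.
    # A prefix match deliberately catches /dev/sda1, /dev/sda2, ... too.
    awk -v dev="$dev" '
        index($1, dev) == 1 {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "rw") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$mounts"
}

# Pre-flight checks. Returns 0 when it is safe to image, 2 for a bad
# argument, 3 for a configuration that could damage the evidence.
# $1 = source device, $2 = destination directory, $3 = mounts table (opt.)
ftk_preflight() {
    src=$1
    dest_dir=$2
    mounts=${3:-/proc/mounts}
    [ -b "$src" ] || { echo "preflight: $src is not a block device" >&2; return 2; }
    [ -d "$dest_dir" ] && [ -w "$dest_dir" ] \
        || { echo "preflight: $dest_dir is not a writable directory" >&2; return 2; }
    if source_is_rw_mounted "$src" "$mounts"; then
        echo "preflight: $src (or a partition on it) is mounted read-write" >&2
        return 3
    fi
    # The image must not land on the disk that is being imaged.
    dest_dev=$(df -P "$dest_dir" | awk 'NR == 2 { print $1 }')
    case $dest_dev in
        "$src"*) echo "preflight: $dest_dir lives on $src" >&2; return 3 ;;
    esac
    return 0
}

# Run ftkimager, saving the exact argument list first so the command that
# produced the image becomes part of the case record.
# $1 = source, $2 = destination base name, remaining = options
run_ftkimager() {
    printf '%s\n' "$@" > "$2.cmd.txt"
    "$FTKIMAGER" "$@"
}

# Full acquisition: E01, 2 GiB fragments, verified, header fields filled
# in. Values with spaces are safe because each is one quoted argument.
# $1 src, $2 dest dir, $3 base name, $4 case no., $5 evidence no.,
# $6 examiner, $7 description
acquire() {
    src=$1; dest_dir=$2; base=$3
    case_no=$4; evidence=$5; examiner=$6; desc=$7
    ftk_preflight "$src" "$dest_dir" || return $?
    run_ftkimager "$src" "$dest_dir/$base" \
        --e01 --frag 2G --compress 6 --verify \
        --case-number "$case_no" --evidence-number "$evidence" \
        --examiner "$examiner" --description "$desc"
}

# Usage (as root):
#   acquire /dev/sdb /media/evidence/cases "Randy 5" "2013-0042" "HDD-01" \
#       "Jane Doe" "Suspect laptop drive"
```

The mount check is deliberately conservative (a prefix match on the device name) and is only a last line of defence; a hardware write blocker between the suspect drive and the imaging machine is still the right way to make sure nothing is written to the source.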

I
hope that this has been helpful for everyone and you enjoy reading it as much
as I did writing it. I plan on doing
more work with the SIFT workstation and reviewing more of their tools. If you have any good ideas let me know and
maybe I will get around to doing a review/test of that. Comments are always appreciated and I will
try to take time to answer any questions.

Friday, February 22, 2013

Using the SANS SIFT workstation you have many options available when you are trying to image a hard drive, whether it is dead, alive, internal, or external. One of my favorite tools to image with is the FTK Imager command line program. It is a lightweight, fast, and efficient means of acquiring an image from a suspect drive. You can run the command line program on any operating system with very little difference in syntax, but I will be focusing on the Linux version that comes with SIFT.

This blog post will focus on downloading and installing FTK Imager on your computer and I will put up another post in a couple days about how to actually use the command line tool. I didn't want to overwhelm readers with a huge block of text so I decided to break up the information into two separate posts.

Before we can use FTK Imager we need to have it installed on the computer. If you have SIFT it is already installed and you can skip this part, but other Linux distributions do not have it installed by default and you need to grab it from AccessData (http://www.accessdata.com/support/product-downloads). Select the version that you need and it will be downloaded to your machine for installation.

I am assuming that the majority of people reading this know at least a little about Linux and will be able to install it without any trouble, but for those of you who are completely new to the glory that is Linux I will give a short explanation of how to install FTK Imager on your computer.

First things first: find out whether you have a 32-bit or 64-bit version of Linux by typing uname -m in the terminal. If it comes back with "x86_64" you have a 64-bit kernel, and if it comes back with "i686" you have a 32-bit kernel. Select the appropriate version and download it to whatever directory you use; the browser's default is the Downloads folder.

You can install it through
the GUI, but what fun is that? We are
using Linux so we should know how to do everything through the terminal because
it really allows you to know what is going on under the hood as well as making
you feel like a superstar computer user.

Once the file is in the Downloads folder, open your terminal and navigate there with the cd command. If you are in your own account's terminal rather than root's you can just type cd ~/Downloads. The ~ character represents your home folder, so cd ~/Downloads takes you there no matter where in the system you are. When you get to the Downloads folder, use the ls command to view all of the files in that directory. (On a side note, I use the words directory and folder interchangeably when dealing with Linux, which they are.) Determine what the FTK download is named, usually "ftkimager.x.x.x_UbuntuXX.tar.gz", where x.x.x is the version number of FTK Imager that was downloaded and XX is the flavor that was selected (32 or 64 bit).

The next step is to extract the executable from the tar.gz file with the command tar -zxvf [filename] (no sudo is needed to unpack a file in your own Downloads folder). The switches mean different things and must be given in the correct case; in this instance they are all lower case. The z handles the .gz portion of the compression, x extracts the contents of the .tar archive, v stands for verbose and is optional, and f names the file to extract from.

HURRAY!!! We now have the file extracted and are ready to install it and start acquiring everything in sight! Now, installing this can be incredibly difficult for anyone, even those with lots of experience... No, not really: it is actually as simple as moving the extracted file to a directory on your PATH. I am going to use the directory that SIFT uses for ftkimager, /usr/local/bin/. The syntax for the move is simple: sudo mv ftkimager /usr/local/bin/. Run ftkimager --help afterwards; if the usage text appears, the binary is in place and executable, and that is all there is to it.

Now we are
ready to start using the command line version of FTK Imager.

Wednesday, February 13, 2013

I've been pretty quiet on here lately due to graduating, moving to New York City to start my new job, and everything else that is changing, but I am going to try to start writing here on a more regular basis. I started my new job at Huron Consulting Group as a computer forensics analyst in their legal department and I can say that it is an interesting experience coming from college to the real world finally.

In between projects I have the opportunity to do some research of my own and I have been dedicating my time to reading Digital Forensics with Open Source Tools (http://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867) and following along with that as well as teaching myself Java programming.

I have also had the opportunity to continue working with the SIFT workstation that is provided by SANS Forensics.(http://computer-forensics.sans.org/community/downloads) This is one of my favorite forensics tools to use as it already has a fantastic collection of tools and is available as a live cd so that I can image or run tools on the go without having to install anything. I would like to start doing a tutorial of the different tools involved with SIFT and how it can be used either by itself or in conjunction with other tools for verification or to fill in the gaps of other tools.

Another tool that I have been really excited to work with is the Tapeworm tool. (http://feedthetapeworm.com/) This tool was created by a team of Champlain College students/faculty and TASC Inc. It is a great project that automates some important tools and gives the investigators a nice record of the results. It is only available as a VM right now and should only be used in VMware Workstation 7 or VMware Player 3 due to memory leak issues when used with newer versions of VMware. I would highly recommend everyone taking a look at the site and trying it out.

As I said earlier I will be trying to make an effort to update this blog more often and have some more research on my different projects and research.

Wednesday, November 7, 2012

It's been a while since I've written anything on here so I thought I would do a short update of what is going on with my project.

I have narrowed my scope down to 5 areas of investigation to make more effective use of my time: Timeline analysis, connected USB devices, email investigation, internet history artifacts, and changes made to the file structure when programs are installed. It is not a large list but I think it hits a lot of the major areas of forensics investigation.

I created a VM using VMware Workstation and created 4 unique profiles, giving them specific interests and programs to use. I modeled it on a small family and generated around 13 pages of documentation including websites visited, programs downloaded, manipulating files, emails both from Thunderbird and webmail, and transferring files. I will release the documentation soon along with the virtual machine and the images I created from it. My goal is to create a VM that can be used for testing tools for verification purposes. It is well documented, and if the tool results are released as well they can be compared with other tests to see whether the tools are working correctly.

My other side of the project is explaining how testing the tools is necessary when performing an investigation, especially if the results are going to be presented in court. I am using papers written by Cory Altheide and Brian Carrier as resources and interviewing forensics investigators on their views of both closed and open source products and the ways that they verify the tools.

If anyone would like a copy of my work or has any questions about what I am doing please just leave a message or email me. I am happy to help anyone that I can.

Friday, September 7, 2012

As I near the end of my days at Champlain College I am being tasked with a large project that every senior at this school must face: their final project, which is Capstone. This project serves to combine everything we have learned from our CORE classes and major classes to produce a unique project that is different depending on the major. Since I am in Computer and Digital Forensics (the best major ever) I have the opportunity to do a piece of major research on a topic of my choice. With the help of Jon Rajewski and Mike Wilkinson I have decided to work on a comparison of the open-source forensics operating system SIFT against proprietary software such as EnCase and FTK.

In addition to the forensics information that I will be posting I will have posts relating to the capstone class which include insights into why I have chosen this project as well as what I hope to achieve. The class is very ethically heavy and deals with many topics that make us reflect on why we do things as well as where we want to be. I will be using this blog to help document my work and share everything I learn with the forensics professionals.

I look forward to working on this project and hope that people will comment on the work if they have suggestions or comments for me.

Tuesday, July 31, 2012

Autopsy 3.0

What is Autopsy

Autopsy is an open source forensics tool that can be compared to FTK or EnCase and assists investigators when working on cases. It is created by Brian Carrier, the same person who made The Sleuth Kit, which Autopsy is built on.

What is New in Version 3

Autopsy 3 has been completely rewritten from version 2 and
includes many new tools and options that previous versions did not have.
Autopsy 2 was a browser based tool, which meant that it ran through a web browser,
specifically Mozilla’s Firefox. Version 3 has changed to be a self-reliant
program that does not need to be run through Firefox and has the look and feel
of a traditional forensic program. Autopsy 3 also has included a new function
called ingest modules that analyze data, list the information in tree format,
and allow searches based on: keywords, hashes, and recent activity.
Investigators who have used older versions of Autopsy will notice the
restructuring of the program and the addition of the single navigation tree
that creates a cleaner and streamlined look.

Where to Get Autopsy 3.0

Autopsy 3.0 can be acquired from different sources, but the
most reliable source is to go to the website for the Sleuth Kit (http://www.sleuthkit.org) and select the
projects tab at the top:

Next navigate to the Autopsy page by selecting Autopsy on
the side bar.

Select Download followed by "Download Beta Version 3.0.0b4 (July 3, 2012)", or the newest release of Version 3 available.

You will be taken to the Sourceforge site for the Autopsy
browser and given a list of versions to download. Select the newest version
available to download and it will automatically start after a five second
delay. After Autopsy has been downloaded,
run the installer and then Autopsy will be ready for use.

How to Start a Case

Starting a case in Autopsy 3 is simple and easy to learn for
anyone ranging from forensics investigators all the way to curious users or IT
support. Upon starting Autopsy 3, a window will open with three selections to
make: create a new case, open existing case, or to open a recent case.

For this tutorial we will select the “Create New Case”
option and be directed to a new window that will have information to fill in,
and for this tutorial we will be naming the case “Test.”

After the information has been filled in select the next
button. The next window will allow the investigator to fill in the case number
and examiner name. This is for the purpose of creating better documentation and
logging. After the information is filled in select the finish button to
continue.

The next step in the investigation is to add an image file to the case. The image file can be chosen from a wide variety of formats including img, dd, 001, aa, and e01. Use the browse button to find the image you want to work with and select Add. Options to choose the time zone the image came from and to ignore orphan files in FAT file systems can be selected based on the investigator's preference and situation. For this tutorial I am using the Forensics World C.S.I. Challenge sample image called precious.img. If you would like to follow along with the tutorial and use the same image for practice you can obtain it from http://myweb.cwpost.liu.edu/cmalinow/csi/tools.html.

After selecting the next button the image will be added to
the case and the next button should be selected again if there are no errors.

The following window will bring the investigator to the
Ingest wizard panel, which is one of the new features offered in Autopsy. There
are three options in the first box: Recent Activity, Hash lookup, and Keyword
Searches.

By selecting any of the options advanced settings can be set
to increase the capabilities of the search. Under the Hash Lookup option there
is the advanced option to add databases of known hashes.

Under the Keyword Search option are many different lists
that can be used to search for information. By default, Phone Numbers, IP
Addresses, Email Addresses, and URL’s are available. Select the Advanced button
and a Keyword List Configuration window will open. In this new window select
New List and type the name that is desired for the list. This makes it easier
to search by subject matter or other organizational methods. For now the list
Test keywords will be used to create a list. In the adjacent pane there is a
blank section with a word bar and an Add button next to it. Type the keyword
desired (case sensitive) and select Add to add the word to the list. There is
also the option to select Regular Expression.
This allows the investigator to further narrow the field to search in by
selecting what the keyword is that is being searched for including: passwords,
emails, text file name, domains, and many more options.

For this tutorial the keywords that are used are chosen
because of the content in the image that is being used so the best results will
be found.

After finishing the keyword parameters the screen will be
laid out for the user.

Notice how everything is laid out in “tree” format much like
in the popular programs such as EnCase.
This is one of the new features in 3.0 and is helpful as it allows the
investigator to organize much easier. After the image is indexed the tree will
be populated by the file system, extracted content, keyword searches, and the
hash list (if any were used).

One of the first things the investigator should do is to
generate a report. This will allow the investigator to have an idea of what
type of information is available and what to expect. The report can be generated
in three formats: Excel, XML, and HTML. It also has the ability to select what
information to display with choices that can be seen in the image below.

With the report on hand the investigator will have an idea
of what to expect as well as a list of programs that are installed on the
machine. This will allow the investigator to look for specific files or keep an
eye out for certain markers. For example, if TrueCrypt is installed on the
computer then the investigator will know that there is a chance of a TrueCrypt
volume on the computer and can look for it. Another example of using reports is
to look at the attached device list and compare that to removable media that
was also seized. This can help investigators gather all the evidence they need
to perform a complete investigation.

Looking at the tree, the top selection is titled "Images"; this is where the acquired image is located and where the bulk of the investigation will take place. If the Images tab is expanded the investigator will see each image that was added to the investigation. Expanding an image's tab shows the volumes of the image, including the file system and unallocated space. Expanding the tab that contains the operating system gives the investigator a look at the root directory and the tree that contains most of the relevant information, the same as if the investigator opened the default drive when browsing through a system.

Below the Images tab is the “Views” tab that will allow the
investigator to separate the information in the image into different categories
such as by file types and by recent documents. The file type can be broken down
into: images, video, audio, and documents which includes the major text
formats. Another section in the Views tab is a new feature in Autopsy 3, the
Recent Files tab. This tab allows the investigator to get a rough outline of
what happened in the last 6 days of use by the suspect. The results include
registry files, documents opened, and programs run.

The next tab that is seen is the Results tab, this is a new
feature that displays all the information from the ingest process. This uses
the program BEViewer to look for certain information inside of the data and
separate it into sections that make it easier to search for specific data
instead of going through all of the information manually. Although this
simplifies the investigation process, it does not mean that this is all of the
information that is able to be gained through an investigation.

There are 4 main categories when separating the Results tab:
Extracted Content, Keyword Hits, Hashset Hits, and E-mail Messages. Each of
these sections has subsections that allow for more specific information
divisions. In the Extracted Content tab there are sections for: Bookmarks,
Cookies, Web History, Downloads, Recent Documents, Installed Programs, and
Device Attached.

The bookmarks tab contains information on bookmarks created in
the internet browsers so the investigator can see a list of sites that the
suspect frequented enough to create a bookmark for. The cookies tab will allow
investigators to see a general idea of where the suspect has been recently by
looking through the cookies and seeing which sites have cookies stored on the
computer. The Web history tab searches for .dat files and lists them to show
another list of internet usage through web browsers. The download tab allows
for the search for any downloads on the suspect computer. Recent documents will
show documents that were opened on the machine recently by looking at their
metadata and deciding how long ago a document was opened. The installed
programs tab will give the investigator a list of programs that are currently
installed on the machine. The tab for attached devices is obtained by looking
through the registry files and determining which hardware devices have been
plugged into the system at one point or another.

Under the keyword hits tab the investigator will see all the
options that were selected in the ingest index window when starting the case.
The information includes: phone numbers, URLs, email addresses, search words by
the user, IP addresses, and regular expression searches.

The tab for hashset hits only has results if a list library
was added to the case before hand to run matches against. If the investigators
had a hash library of known child pornography or pirated material they could
run all the information on the computer against the library and all of the
results would be placed in the hashset hits tab.

The e-mail message tab will place any emails from a desktop
client in the tab for review. The supported programs are Microsoft Outlook and
Mozilla Thunderbird as of now but more are scheduled for support in the future.

Wednesday, June 20, 2012

I am currently researching and writing a report on Linux forensics investigation techniques and tools. I have had a infatuation with Linux for a few years now and am glad that I can finally merge my major with a hobby. For this report I am researching multiple open source forensics tools that would help in investigations and TSK (The Sleuth Kit) was one of the major highlights of my research. One of the key components of TSK is the Autopsy forensics browser, and as they just released their beta for 3.0 I decided that in addition to my basic overview for the report I would also do a review of the Autopsy beta. I hope to have an outline and basic review up in the next few days so check in soon to see the updates.

About Me

I currently work as a Computer Forensics Analyst in NYC. All of the material presented here is my own and does not reflect the opinions of my employer. I am interested in digital forensics, open source tools, and computers in general.